A method for controlling connections to a mobile station

TECHNICAL FIELD OF THE INVENTION 

The present invention relates to communication networks capable of ciphering and deciphering and especially to a method for managing keys.

BACKGROUND OF THE INVENTION 

Radio transmission is by nature more prone to eavesdropping and fraud than fixed wire transmission. Listening to communications is easy and does not require access to special locations. The GSM cellular system has alleviated this problem by introducing authentication and encryption or ciphering. Next the GSM authentication and ciphering procedures are explained briefly with reference to Figure 1. More details can be found for example in Mouly et al.: "The GSM system for mobile communications".

Figure 1 illustrates the current GSM system incorporated with a general packet radio or GPRS network. The complete network comprises three different functional sub-networks. The radio access network comprises Base Station Controllers or BSC's 30 (only one is shown) and Base Stations or BS's 20. The first core network comprises a Mobile Switching Center with Home Location Register or MSC/VLR 40 and a Home Location Register with Authentication Center or HLR/AuC 50. The first core network comprises additional MSC/VLR's and HLR/AuC's, which are not shown for the sake of simplicity. The second core network is a packet network and comprises a Serving General packet Service Node or SGSN 60. The second core network comprises additional General packet Service Nodes or GSN's, which are not shown for the sake of simplicity.

When a mobile 10 accesses the first core network it registers itself in the MSC/VLR 40. After receiving the registration request or a service request from the mobile, the MSC/VLR 40 transmits to the HLR/AuC a request including the IMSI to acquire authentication triplets consisting of RAND, SRES and Kc. In GSM it is the MM or mobility management protocol that implements the functionality for the authentication. Also, the control of the ciphering, i.e. the ability to turn ciphering on and off, is at MM level. The triplets are of a predetermined length and calculated by using a secret key Ki, known only to the authentication center. After receiving the triplets from the HLR/AuC the MSC/VLR sends the challenge, RAND, to the MS in an authentication request to authenticate the MS. As part of the successful registration, the MSC/VLR updates the location of the MS to the HLR and downloads the subscriber data from the HLR.

The mobile 10 has a secret key Ki in its SIM card. The secret key Ki is stored on subscription by the operator and is not visible to the users of the mobile or to any other party for that matter. It is identical to the secret key Ki stored in the Authentication Center 50. The secret key Ki is applied together with the random number RAND to a predetermined algorithm called A3 to produce a signed response SRES. The mobile 10 then transmits a message containing SRES to the MSC/VLR 40, which compares it with the SRES received from the AuC 50. If the comparison is successful, the mobile 10 is authenticated and allowed to access the network. At the same time as calculating the SRES, the mobile and the AuC apply RAND and Ki to another predetermined algorithm called A8 to produce a ciphering key Kc1. If the authentication was successful and the network so decides, all subsequent transmissions with the mobile 10 over the air interface are ciphered. For this the MSC/VLR transmits the ciphering key Kc1 to that one of the BSCs which is in communication with the mobile 10, and the BSC subsequently delivers the Kc further to the BTS communicating with the MS, and the ciphering or encryption takes place in the base station and the mobile according to yet another predetermined algorithm, for example A5.

If the mobile wants to access the second core network it registers itself in the SGSN 60. The procedure for authentication is similar to the procedure with the first core network, with the exception that the ciphering key Kc2 is not transmitted to the base station (BSS part of the system) currently in communication with the mobile 10. In other words, the ciphering is in the SGSN and in the MS. The SGSN 60 retains the ciphering key Kc2 within itself and performs the ciphering.

Thus, the prior art system uses different ciphering keys for ciphering the communications with two different core networks, and the ciphering is applied to two different radio connections, as the radio channels used for communications with the MSC and the SGSN are distinct. As a result, a GSM MS having simultaneous communications with both the MSC and the SGSN utilizes two ciphering keys on two different radio channels or connections, each having its own independent control in the network.

The fact that the ciphering and the control of the ciphering take place at different locations may cause consistency problems, and the fact that the radio access network is not able to access the signalling messages of the second core network at all may turn out to be problematic in future networks when all radio resources used by a specific user should be managed in conjunction in a system having two CN nodes controlling the ciphering. In this case, the radio resources reserved for simultaneous connections to the MSC and the SGSN should be managed by a single entity in the radio access network part of the system, but still there are two entities controlling the ciphering.



However, it is proposed that in UMTS there will be only one RRC or radio resource control protocol, controlling both the connection to the MSC and to the SGSN. If only one key is used at a time, the problem is how to communicate to the SGSN that its key is not going to be used. Yet another problem relates to handovers controlled by a CN entity.

It is therefore an object of the present invention to efficiently manage the 
ciphering keys and algorithms for ciphering and deciphering user data 
communicated between different core networks and one mobile station. 

It is another object of the present invention to efficiently manage the 
ciphering keys and algorithms for ciphering and deciphering signalling data 
communicated between different core networks and one mobile station. 

It is still another object of the present invention to efficiently transfer the ciphering parameters when the serving radio network controller is handed over to another radio network controller, which then becomes the new serving radio network controller.

SUMMARY OF THE INVENTION

The present invention is a novel and improved method for managing, in a single location, the ciphering keys and algorithms used for encrypting or ciphering the communications of a specific mobile station with multiple core networks or core network entities. Further, another aspect of the invention is that the management location is movable as the mobile station moves within the radio access network.



The preferred embodiment of the present invention relates to a 3rd generation mobile network, for which the abbreviations UMTS or WCDMA are used. The network is shown in Fig. 2. The network comprises multiple subnetworks. The radio access network or UTRAN (UMTS Terrestrial Radio Access Network) comprises multiple Radio Network Controllers or RNC's 130, each of which controls multiple Base Stations or BS's 120. The first core network comprises a Mobile Switching Center with Visitor Location Register or MSC/VLR 140 and a Home Location Register with an Authentication Center or HLR/AuC 150. The first core network comprises additional MSC/VLR's and HLR/AuC's, which are not shown for the sake of simplicity. The second core network is a packet network and comprises a Serving General packet Service Node or SGSN 160. The second core network comprises additional General packet Service Nodes or GSN's, which are not shown for the sake of simplicity. Note that the UTRAN may be connected to another operator's core network or to a third core network similar to the first core network.

Since the air interface access method is CDMA, the mobile 110 is capable of communicating with multiple base stations at the same time (called soft or diversity handover). When that occurs, all transmissions from the mobile 110 are directed to one RNC, called the serving RNC or SRNC, in which the transmissions are combined into one transmission for further sending towards the intended core network.

In the preferred embodiment a mobile station establishes communication with one core network or core network entity, or vice versa. In the establishment the network requests the mobile to authenticate itself as explained above. At the same time as the authentication, the mobile and the network (or CN node) calculate identical ciphering keys Kc1. In the preferred embodiment of the invention the core network or core network entity which calculated the ciphering key does not start ciphering user data or signalling messages, but generates and transmits a message comprising the key and data indicative of the algorithm to be used to a ciphering controller 180, which is preferably located in the serving radio network controller. The ciphering controller receives said message and starts ciphering the data and signalling messages flowing from the core network towards the mobile station and deciphering the data and signalling messages flowing from the mobile to the core network.


In the preferred embodiment of the invention another core network or network entity may establish communication with the mobile station, or vice versa, while the communication with the first core network is still active. The second core network or network entity authenticates the mobile and second ciphering keys Kc2 are calculated. Then, as described above, the second core network generates and transmits a second message comprising the second key and data indicative of the algorithm to be used with the second key to the ciphering controller. The ciphering controller receives said second message and compares the first and second ciphering keys and the related algorithms.

If the first and second ciphering keys and the related algorithms are equally reliable, the ciphering controller ciphers and deciphers data and signalling messages to and from the first and second core networks with the key and algorithm it was already using. However, if the second ciphering key and its related algorithm provide improved encryption, the ciphering controller starts using the second key and its related algorithm for the communication with the first core network as well. In this case the ciphering controller generates and transmits to the MS a message commanding it to act accordingly.



In another embodiment of the present invention the respective different keys are used for ciphering user data in the different communications, but the key and its related algorithm with the higher ciphering capabilities are used for ciphering the signalling messages to and from both core networks.



In yet another embodiment, after receiving the message containing the second ciphering key Kc2, the ciphering controller acknowledges said message with another message containing information indicative of the selected ciphering key and algorithm.

In another embodiment, there is only one entity controlling the ciphering in the CN.



In another embodiment there is an interface between the two ciphering control entities in the CN providing the required coordination.




In the preferred embodiment of the present invention it is possible that the communications to the mobile station are rerouted via another serving radio network controller. Should this occur, the parameters used for ciphering and deciphering (along with other parameters required to establish the communication via the target controller) need to be transferred to the new location of the ciphering controller via the CN. This is done by signalling the parameters transparently through the corresponding core networks. Alternatively this may be done by signalling the parameters over the Iu interface between radio network controllers.




BRIEF DESCRIPTION OF THE DRAWINGS



The invention is described in more detail in the following with reference to the accompanying drawings, of which

Figure 1 is an illustration of a prior art mobile communication system.

Figure 2 is an illustration of the UMTS network of the preferred embodiment of the present invention.






Figure 3 is an illustration of one ciphering key use in the UTRAN.

Figure 4 is an illustration of the ciphering key transfer in the SRNC relocation procedure.

The same reference numerals are used for similar entities in the figures.

DETAILED DESCRIPTION



The ciphering is likely to be done within the UTRAN in UMTS¹. In the two-MM option there are two entities, i.e., the MSC and the SGSN, which may request ciphering on the radio interface.

It is assumed that in UMTS the ciphering key and the allowed ciphering algorithms are supplied by the CN domains to the UTRAN, usually at the beginning of the connection. Receipt of the ciphering command message at the UTRAN will cause the generation of a radio interface ciphering command message and, if applicable, invoke the encryption device and start data stream ciphering. The CN domain is notified whether the ciphering was executed successfully on the radio interface and of the selected ciphering algorithm.

When a new connection is established from another CN domain, which does not yet have any connection to the UE, the new CN domain also supplies the ciphering key and the ciphering algorithms allowed to be used to the UTRAN at the beginning of the connection. This is due to the fact that the CN domains are independent of each other.



If it is assumed that only one ciphering key and one ciphering algorithm are used for all connections, this leads to a situation in which there are two ciphering keys supplied from the CN domains and only one of them is used.



¹ The security requirements for UMTS are still for further study.
To handle this situation, the UTRAN must select either one of the ciphering keys. If there are no differences between the ciphering requirements² requested by the two CN domains then, e.g., the first ciphering key and algorithm are maintained (see Figure 3).

As a result of the selection of the ciphering key between two different CN domains (if both CN domains have active connection(s) to the UE), one of the CN domains does not know the correct ciphering key used for the connection(s). Only the UTRAN and the UE know the correct ciphering key used.

It may be required to use one ciphering key for, e.g., one radio access bearer. Different user plane bearers are then ciphered by the different ciphering keys supplied by the respective CN domains. However, in the control plane³ only one ciphering key is used, and therefore in the control plane there must be coordination between the ciphering keys supplied by the CN domains.


The coordination in the control plane is similar to what is presented for the one-ciphering-key-used-in-UTRAN option (ch. 2.1). In the control plane, the UTRAN must select either one of the ciphering keys supplied from the CN domains if both CN domains are active.

In GSM, when an inter-BSC handover is performed, the MSC sends the ciphering key and allowed algorithms to the target BSC in the BSSMAP HANDOVER REQUEST message. In GPRS, because the SGSN performs the ciphering, the inter-BSC handover does not cause any need for ciphering key management.


² E.g. a requirement for a more efficient ciphering algorithm than is currently used for the ...

³ Here the control plane means the RRC connection between the UE and the UTRAN.

For UMTS, the GSM approach is not applicable on serving RNC (SRNC) relocation, because the CN domains do not necessarily know the correct ciphering key used, as described above.

It is recommended that the ciphering key is transferred in the transparent (to CN) UTRAN information field from the source RNC to the target RNC in the RANAP SRNC REQUIRED and RANAP SRNC REQUEST messages (see Figure 4). In this way the correct ciphering key is transferred to the target RNC.
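The selection rule described for the ciphering controller (keep the first key when the two CN domains' requirements are equal, switch all connections to a stronger key and command the MS, acknowledge the domain with the selection) together with the transparent UTRAN info transfer on SRNC relocation, as an added Python model that is not the patent's own code; the algorithm names, their strength ranking, the message fields and the per-domain user-plane variant are assumptions for illustration.

```python
"""Ciphering controller in the serving RNC, as an added model (not the patent's
code): key selection between MSC and SGSN, ack to the CN domain, MS command,
and the transparent UTRAN info container for SRNC relocation. Algorithm names
and ranking are constructed placeholders; no real ciphering is performed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ranking: a higher rank is the text's "improved encryption".
ALGORITHM_RANK: Dict[str, int] = {"none": 0, "alg-basic": 1, "alg-strong": 2}


@dataclass(frozen=True)
class CipherCommand:
    """Ciphering command from one CN domain (MSC or SGSN) to the UTRAN."""
    domain: str       # "MSC" or "SGSN"
    key: bytes        # Kc1 / Kc2 as supplied by that domain
    algorithm: str    # algorithm the domain permits, a key of ALGORITHM_RANK


@dataclass
class CipheringController:
    """Besides the UE, the only entity that knows which key is in use."""
    key: Optional[bytes] = None          # key used for the control plane
    algorithm: str = "none"
    per_domain: Dict[str, CipherCommand] = field(default_factory=dict)
    ms_commands: List[str] = field(default_factory=list)

    def receive(self, cmd: CipherCommand) -> dict:
        """Handle a ciphering command; returns the ack sent to that domain."""
        self.per_domain[cmd.domain] = cmd
        if self.key is None or ALGORITHM_RANK[cmd.algorithm] > ALGORITHM_RANK[self.algorithm]:
            # First key, or a stronger one: take it into use for every
            # connection and command the MS to do the same.
            self.key, self.algorithm = cmd.key, cmd.algorithm
            self.ms_commands.append(f"cipher mode command: {cmd.algorithm}")
        # Equal strength: the key already in use is kept (Figure 3). The ack
        # names the selected algorithm and whether this domain's key is in
        # use; the key itself is never echoed back to the CN.
        return {"to": cmd.domain, "algorithm": self.algorithm,
                "key_in_use": self.key == cmd.key}

    def user_plane_key(self, domain: str) -> Optional[bytes]:
        """Alternative embodiment: a user-plane bearer keeps its own domain's key."""
        cmd = self.per_domain.get(domain)
        return cmd.key if cmd else None

    def utran_info(self) -> dict:
        """Transparent (to CN) field carried in SRNC relocation messages (Figure 4)."""
        return {"kc": self.key, "algorithm": self.algorithm,
                "per_domain": dict(self.per_domain)}

    @classmethod
    def from_utran_info(cls, info: dict) -> "CipheringController":
        """Target RNC restores the state; neither CN domain had to know the key."""
        return cls(key=info["kc"], algorithm=info["algorithm"],
                   per_domain=dict(info["per_domain"]))
```

The acknowledgement deliberately carries only the selected algorithm and a flag, so a CN domain whose key was not taken into use learns that fact without the UTRAN revealing the key actually in use.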






In the handover from UMTS to GSM, the ciphering key cannot be transferred transparently as proposed for UMTS. The CN (or IWU) has to build the BSSMAP HO REQUEST message, having the ciphering key from the MSC. The 2G-SGSN receives its ciphering key from the old 3G-SGSN via the Gn interface, as is done in GPRS.



If the ciphering keys used in UMTS are different compared to GSM, e.g., the ciphering key length is different, both the MSC and SGSN ciphering keys must be changed in the UMTS-GSM handover.

In GSM, the A-interface BSSMAP supports a transparent field in the BSSMAP HO REQUIRED and HO REQUEST messages, which allows the proposed solution to be utilized also with a GSM CN connected to the UTRAN.

In view of the foregoing description it will be evident to a person skilled in the art that various modifications may be made within the scope of the invention. While a preferred embodiment of the invention has been described in detail, it should be apparent that many modifications and variations thereto are possible, all of which fall within the true spirit and scope of the invention.
Claims

1. A mobile system 

2. A method 

3. A network element 

4. A method of handing over 
[Figure 3. One ciphering key use in the UTRAN: a timeline for the SGSN and the MSC in which the key from the SGSN is offered but not taken into use, while the key provided by the MSC is utilized for the whole duration.]
[Figure 4. The ciphering key transfer in the SRNC relocation procedure: the SRNC relocation required and SRNC relocation request messages each carry a transparent UTRAN info field containing Kc on their way to the new RNC, followed by the SRNC relocation ACK messages.]



